Types of due diligence
Note: To enable preconfigured workflows and the Risk Concentration Map, activate the Third-party Risk Due Diligence plugin (com.sntprmdd) within ServiceNow.
In the due diligence process, you typically conduct several types of due diligence to gather relevant information and assess various aspects of the third party. The particular types of due diligence that you conduct vary depending on the nature and criticality of the engagement and the risks involved.
- Information Security due diligence
Information security due diligence is critical. It involves evaluating the third party's data protection practices, cybersecurity measures, and information handling processes. This includes assessing their data security policies, incident response capabilities, encryption practices, and employee training on data protection. The objective is to safeguard sensitive information and mitigate the risk of data breaches or unauthorized access.
- Financial due diligence
Financial due diligence involves assessing the financial health and stability of the third party. It includes reviewing financial statements, analyzing profitability, liquidity, debt levels, cash flow, and other financial indicators. The goal is to understand the financial viability of the third party and help ensure that they have the capacity to fulfill their obligations.
- Legal due diligence
Legal due diligence involves examining the legal and regulatory compliance of the third party. It includes reviewing contracts, agreements, licenses, permits, and legal documents. The purpose is to identify any legal risks, liabilities, ongoing litigation, or regulatory non-compliance that could impact your organization's interests.
- Operational due diligence
Operational due diligence focuses on assessing the operational capabilities and processes of the third party. It involves evaluating their infrastructure, facilities, supply chain, production processes, quality controls, and capacity to meet your organization's requirements. The goal is to help ensure that the third party can effectively deliver the desired products or services.
- Compliance due diligence
Compliance due diligence involves verifying the third party's adherence to applicable laws, regulations, and industry standards. It includes assessing their compliance programs, policies, and procedures related to areas such as anti-corruption, data privacy, information security, environmental practices, and labor standards. The objective is to identify any compliance gaps or risks that could result in legal or reputational issues for your organization.
- Reputation due diligence
Reputation due diligence focuses on evaluating the third party's reputation, integrity, and past performance. It involves conducting background checks, reviewing references, searching for news or media coverage, and assessing any past controversies or ethical issues. The purpose is to help ensure that the third party has a positive reputation and aligns with your organization's values and expectations.
Financial due diligence example
Financial due diligence evaluates the financial health and stability of a third party or engagement. Third-party Risk Management supports this process by providing:
- Questionnaire templates with financial questions and document requests that you can send to the third party or engagement using an assessment through the third‑party portal.
For more information, see Sample questionnaires and Create an external assessment.
- Due Diligence Request (DDR) workflows that orchestrate internal review, external assessment, approvals, and contract risk checks.
For more information, see Due diligence workflow.
- Reports and dashboards to track active requests, aging items, and completion timelines.
For more information, see Monitoring the due diligence request process.
Access these features by navigating to the Vendor Management Workspace:
- Open the Vendor Management Workspace. On the Risk tab, select the due diligence management icon.
- On the Due diligence management page, select a stage (IRQ, Due diligence, Approvals, Contract risk, Final review, Closed) to view actionable lists.
- Open a Due diligence request record to manage the workflow.
- To send financial questionnaires or document requests from a DDR or an Assessment record, create an assessment.
- Use the Due Diligence Management page to monitor status and aging.
For more information, see Monitoring the due diligence request process and Create an external assessment.